Privacy Policy

ZenBox is built privacy-first. We read message headers only, never the body, and we never sell your data.

Effective June 26, 2026 · ZenBox (operated by Utkarsh Kumar) · Bengaluru, Karnataka, India

1. Information we collect

  • Account data: your email address and unique user ID from Google Sign-in.
  • Gmail metadata (headers only): sender address, subject line, date, read/unread state, and the standard List-Unsubscribe headers. We do not read message bodies.
  • OAuth tokens: Google access and refresh tokens, encrypted at rest with AES-GCM before being stored.
  • Aggregate stats: per-sender counts (total, last 7d, last 30d, unread), priority score, last-seen timestamp.

2. How we use your data

  • To group your inbox by sender and rank the noisiest subscriptions.
  • To execute unsubscribe actions you explicitly trigger.
  • To detect breaches involving your linked email addresses via free public providers (HIBP, XposedOrNot, LeakCheck).

We never train models on your data. We never sell or rent your data. We do not run third-party advertising or behavioural analytics.

3. Google API Services User Data Policy

ZenBox's use of information from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We only request the minimum Gmail scopes required (gmail.readonly, gmail.modify for unsubscribe actions) and only use the data to provide the user-facing features described above.

4. Storage location

Cloud-stored data lives in our managed Postgres database. You may switch to Local-only mode at any time from Settings — this purges your aggregated sender data from our servers and keeps it in your browser only. OAuth tokens always remain encrypted in the database (required to call Gmail).

5. Data retention

Sender stats are retained while your account is active. Disconnecting a Gmail account or deleting your ZenBox account purges all associated rows immediately. Backups roll over within 30 days.

6. Your rights

  • Access, export, or delete your data from Settings or by emailing privacy@utkarshkr.in.
  • Revoke Google access at any time from your Google account permissions.
  • Delete your account in one click at /delete-account.

7. Subprocessors

  • Managed Postgres — database, auth, hosting.
  • Google — OAuth identity provider; Gmail API.
  • Cloudflare — DNS, edge proxy.

8. Children

ZenBox is not directed at children under 13 and we do not knowingly collect their data.

9. Changes

We'll update this page and the effective date above when the policy changes materially.

10. Contact

Privacy questions: privacy@utkarshkr.in
Security reports: security@utkarshkr.in